ISO 27001 certification requires a substantial amount of time, energy, and money. Organizations that pursue this certification want to ensure that their resources don’t go to waste, or, having achieved compliance with ISO 27001, they need to maintain it. In either case, the first question that surfaces is: how?
The answer can be found in the form of internal audits. These audits are designed to evaluate your organization the same way an external auditor would, helping you determine whether your organization is ready to achieve certification and maintain compliance.
From preparing for the audit to compliance with industry standards, internal auditing requires organizations to go through several steps. This article provides you with a step-by-step guide that doubles as an ISO 27001 internal audit checklist to tick off all important steps before applying for the final certification.
What is an ISO 27001 internal audit?
An internal audit plays the same role as a mock test taken before the final examination. Before an external auditor performs the certification audit, organizations conduct an internal audit to evaluate whether the organization’s Information Security Management System (ISMS) is on par with the ISO standard.
In simpler terms, an internal audit is meant to help your organization identify gaps or deficiencies that can impair the ability of the ISMS to meet its information security objectives. It does so by identifying areas requiring improvement and bringing them to your attention.
Internal audits are not a one-time occurrence. Organizations must conduct internal audits at predetermined intervals per ISO/IEC 27001 requirements. These requirements are specified under Clause 9.2 of the ISO/IEC 27001 standard, which requires that internal audits be:
- Planned and conducted at regular intervals
- Based on defined audit criteria and a defined scope for each audit, formally recorded and documented
- Performed by auditors selected with care so that the audit report is objective and impartial
- Reported to management, with observations recorded
- Documented properly and retained in the organization’s records
Who can perform an ISO 27001 internal audit?
One of the primary points of difference between internal and external audits is that internal audits can be performed by the organization’s employees, an independent third-party auditor, or a consulting firm, depending on the organization’s choice.
Unlike the ISO 27001 certification audit, internal audits do not have to be conducted by accredited external auditors. That said, Clause 9.2 of the ISO 27001 standard states that the auditor chosen to perform an internal audit must be objective and impartial with respect to the organization.
This means that anyone involved in developing the ISMS or in operating the controls being audited must not be appointed as the auditor, so as to avoid any conflict of interest. Apart from that, the auditor must have an in-depth understanding of the ISO standard as well as of the auditing procedures required to conduct the ISO 27001 internal audit.
What is the objective of completing an internal ISMS audit?
As mentioned above, internal auditing is a preventive measure taken to identify gaps and remediate deficiencies to ensure that the certification audit process is smooth. It is one of the most proactive approaches an organization takes to confirm that its information security management system is aligned with the standard requirements of ISO 27001.
There are several benefits that organizations can reap from conducting an internal ISMS audit, as follows:
- Objective evaluation: Internal audits provide organizations with unbiased information and insights into the ISMS and its functions.
- Identify non-conformities: Discovering gaps, lapses, and oversights in policies, procedures, and documentation becomes considerably easier with the help of an internal audit.
- Timely response: Organizations can remediate gaps and lapses in the ISMS before the final certification, saving time and resources.
- Continuous improvement: Internal audits aid organizations in keeping a continuous eye on the functions of ISMS, thereby allowing them to maintain compliance with ISO standards.
- Maintaining the security culture: Internal audits help organizations determine how to communicate with their employees about various procedures and processes.
Step-by-step guide on ISO 27001 internal audit process
Even though an internal audit is a preemptive step performed to test the readiness of the ISMS for final certification, it holds significant value. Organizations conducting internal audits to maintain certification must also follow a step-by-step process to ensure that the audit holds credibility.
Contrary to popular opinion, simply selecting an internal auditor and stating the purpose of the ISO 27001 internal audit report is not enough. Below is a step-by-step guide on conducting an ISO 27001 internal audit to help organizations navigate the entire process seamlessly.
Step 1: Create an audit plan
Making an audit plan is the first step in conducting an internal audit. Within this audit plan, the information systems in scope should be clearly identified. You should also verify all of the ISO guidelines and Annex A requirements that apply to your certification to avoid any misstatements.
Step 2: Review the documentation
In this next step, the internal auditor will review all your documentation, including the scope statement, statement of applicability, information security policies, risk assessment plan, and risk treatment plan, to ensure that everything is aligned with the ISMS’s objectives.
The documentation review will also assist the internal auditor in determining whether your organization has properly implemented the ISO standard controls, which are a critical component of the ISO 27001 internal audit checklist.
Step 3: Management review
As the name suggests, management review requires the entire audit plan to be reviewed and approved by the organization’s management. It is also imperative for the management to schedule review meetings to discuss the findings of the audit report and determine whether or not the organization is prepared for the certification audit.
Step 4: Begin the internal audit
Following a review of the documentation, the auditor will evaluate your ISMS by performing audit tests, documenting the results, and collecting evidence to demonstrate what is and isn’t working. The auditor may also conduct staff interviews to determine how well the ISMS is being implemented.
Step 5: Analysis and audit report
During analysis, the auditor will review the collected evidence and map it to the organization’s control objectives with the aim of highlighting the gaps that need to be addressed before the certification audit. All issues or nonconformities discovered during this step must be tracked, documented, and analyzed.
After the analysis and identification of non-conformities, the auditor will present the audit report to management. Aside from the key findings, the final internal audit report also includes:
- A summary explaining the auditor’s key findings.
- Detailed information on who will review the report and whether or not it needs to be classified.
- Any corrections, actions, or recommendations, if required.
- A statement explaining the limitations of the audit scope.
Once the report is submitted, management must review it to decide whether the organization is ready to move on to the stage 2 certification audit.
Frequently asked questions (FAQs)
Conducting an ISO 27001 internal audit can lead to a lot of questions, some of which may not be discussed in the article above. To provide you with a complete guide on ISO 27001 internal audits, we have answered some of these questions below.
What mistakes should be avoided during an ISO 27001 internal audit?
The most efficient way to avoid making mistakes during the ISO 27001 internal audit is to follow the guidelines to the letter. Below are a few things you should keep in mind before kickstarting the audit process:
- Make sure you’ve allotted enough time and resources to the internal audit; set a time limit.
- Communicate the audit schedule to management and staff ahead of time.
- Choose impartial and qualified auditors to conduct the internal audit.
- Avoid any potential areas of conflict between the auditor and the ISMS.
- Give internal audits the attention they deserve; this is not a ‘checkbox’ initiative.
- Perform audits on a regular and planned basis.
- Reduce your reliance on key personnel by designating backups.
How often should an ISO 27001 internal audit be conducted?
Like many other standards, ISO 27001 does not specify how frequently an organization must conduct internal audits. Experts recommend that an ISO 27001 internal audit be performed at least once a year. In cases where this isn’t possible, an audit must be conducted at least every three years.
Is there an ISO 27001 internal audit checklist?
Every business’s internal audit is unique, since every organization has a different information security management system based on its organizational needs.
For this reason, an ISO 27001 internal audit checklist can be extremely helpful for organizations. The checklist is one way for organizations to centralize the entire process. The ISO 27001 internal audit template lists every clause and Annex A control in a spreadsheet to guide the internal auditor through the standard’s requirements.
You can streamline the ISO 27001 internal audit report process by partnering with Scrut Automation. Scrut Automation is a smart and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce their manual effort in continuously maintaining compliance with SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA by ~70%. Schedule your demo today to see how it works.